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(54) Copy protection apparatus and method 

(57) An apparatus and method of copy protection 
for use in digital data recorders such as DVD-RAM 
recorders (30). which includes using DVD disks (1) with 
unique serial numbers stored in a read only part (2) of 
the disk for recording data. The serial number of each 
disk together with other copy control information is digit- 
ally signed. The digital signature is verified at the DVD 



player/recorder (13, 30) to check whether the disk being 
played is an original disk or an authorised copy. If not, 
play back and recording of the data on the disk is pre- 
vented. The use of copy control information also allows 
the implementation of a copy generation management 
system. 



13 








14 




15 






reading 




CCI 




playback 




device 




verifier 




device 



16 



Figure 5 



CD 

*r 

CO 
GO 

o 

Q- 
LU 



Printed by Xerox (UK) Business Services 
2.16.7/3.6 



SDOCID: *EP 0984346A1_I_> 



EP 0984 346 A1 



Description 



[0001] This invention relates to copyprotection, partic- 
ularly but not exclusively to an apparatus and method 
for protecting digital data on a data storage medium 
from unauthorised copying. 

[0002] Although digital media such as audio CDs and 
CD-ROMs allow perfect reproduction of digital data 
stored on them, the proof ems-of -control ling unauthor- 
ised reproduction have so far been mitigated to some 
extent by the fact that these media have generally only 
been available in a read-only format, so that the poten- 
tial infringer needed specialist recording and CD-press- 
ing equipment to make high quality copies. 
[0003] However, the introduction into the consumer 
market of recordable digital storage technology, includ- 
ing CD-R (Write Once) and CD-RW (Rewritable), as 
well as Digital Versatile Disk (DVD) technology, which 
aims to make low cost digital recorders widely available, 
has raised the need for sophisticated copy protection 
systems, to prevent extensive piracy. It is envisaged that 
DVD recorders, known as DVD-RAM recorders, will 
eventually replace the various different forms of cur- 
rently available storage equipment, including computer 
hard-disk drives and video cassette recorders. 
[0004] The principles of DVD technology are well 
established, with DVD-RAM recorders such as the 
Hitachi GF- 1000 series available on the market. Refer- 
ence is directed to 'DVD Demystified", by Jim Taylor 
published by McGraw-Hill, 1998, for further information 
on DVD principles. 

[0005] Without any form of copy control, films, audio 
recordings and other digital content distributed on DVD 
disk or CD-ROM, can be easily recorded by a DVD- 
RAM, or other digital recorder, onto a digital data stor- 
age medium such as a recordable DVD disk, from which 
they can be further copied numerous times onto other 
DVD disks, without any degradation in the copy quality. 
[0006] To prevent unauthorised copying, devices sold 
to consumers incorporate copy protection mechanisms. 
For example, copy protection information can be 
embedded rn-the-data-sector of a DVD disk, as illus- 
trated in "DVD Demystified", by Jim Taylor at page 128. 
A possible method of copy control using such embed- 
ded information is for the digital content provider to sup- 
ply the film or other digital content on a read-only 
medium, for example a DVD-ROM disk, with a "Never- 
Copy" flag embedded in the data. The DVD 
player/recorder will check for the presence of this flag 
and, if an attempt ismade to copy the disk when the flag 
is present, the recording circuitry will prevent recording. 
However, this type of protection can be circumvented by 
using DVD- ROM/RAM drives as peripherals for comput- 
ers, so as to enable copying of the data from an original 
disk onto a recordable disk on a bit-by-bit basis, includ- 
ing the copy protection information. 
[0007] To prevent such bypassing of the protection 
scheme, some DVD players are designed to check for 



the presence of Never-Copy flags on recordable cr Ks 
as opposed to ROM disks. The presence of such a -sg 
on a recordable disk is taken to indicate that the dis-s is 
an unauthorised copy of an original ROM disk, so that 
5 playback of the data on the disk will be prevented. On 
the other hand, if the player detects that a ROM disk is 
being used, it will play back the data on the disk. 
[0008] However, this scheme works on the premise 
that a computer user copying the disk will copy all of the 
io data on a bit-by-bit basis, including the Never-Copy flag 
The scheme can still be easily bypassed by the compu- 
ter user who knows or determines where the copy con- 
trol information is located on an original ROM disk, and 
who can therefore change or overwrite this information 
is when making a copy of the original disk onto a recorda- 
ble disk. 

[0009] A further problem with the above described 
protection scheme is that it is inflexible, with no way of 
providing for a copy generation management system 
20 (CGMS). which governs the extent to which copying is 
permitted. 

[0010] For example, there is no way of providing for 
the contents of an original data storage medium to be 
copied to a back-up medium, while preventing the prcr 
25 duction of a further generation of copies from the back- 
up medium. 

[0011] The present invention aims to address the 
above problems. 

[001 2] According to the present invention, there is pro- 
30 vided apparatus for processing data stored on a storage 
medium which has a medium identifier, the apparatus 
including means for controlling the processing of the 
stored data in dependence on the relationship between 
the medium identifier and verification information for the 
35 medium identifier stored on the medium. 

[0013] The medium identifier may be a first medium 
identifier and the verification information can comprise a 
second medium identifier, so that the apparatus can 
prevent playback or recording if the first and second 
40 medium identifiers are different. 

[0014] in the case of an original disk, the second 
medium identifier may be a copy of the first medium 
identifier. 

[001 5] The apparatus may include means for authen- 
45 ticating the verification information. The verification 
information may, for example, be digitally signed, and 
the authentication means may comprise means for ver- 
ifying a digital signature. 

[0016] The present invention further provides a 
so method of processing data stored on a storage medium 
which has a medium identifier and verification informa- 
tion for the identifier stored on the medium, comprising 
controlling the processing of the stored data in depend- 
ence on the relationship between the medium identifier 
55 and the verification information. 

[001 7] The present invention also provides recording 
apparatus for recording data onto a data storage 
medium having a medium identifier, comprising means 
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for producing verification information for the medium 
identifier, said verification information to be stored on 
the medium. 

[001 8] The recording apparatus may include means 
for controlling recording onto the medium in response to s 
copy control data stored on a medium from which the 
data is being recorded. 

[0019] The present invention additionally provides a 
method of recording data onto a data storage medium 
having a medium identifier, comprising producing verrf i- to 
cation information for the medium identifier to be stored 
on the medium. 

[0020] According to the present invention, there is fur- 
ther provided a data storage medium comprising a 
medium identifier and verification information for the 15 
identifier stored on the medium. 

[0021] Advantageously, in accordance with the inven- 
tion, digital data on a data storage medium can be pro- 
tected from unauthorised copying even if the copy 
protection information in the data is falsified. In addition, 20 
the protection scheme provides for the generation of 
legitimate copies, such as backup copies. 
[0022] Embodiments of the invention will now be 
described by way of example with reference to the 
accompanying drawings, in which: 25 

Figure 1 is a schematic diagram of a DVD disk 
according to the invention: 

Figure 2 is a schematic block diagram of apparatus 
used to manufacture the disk of Figure 1 ; 30 
Figure 3 is a schematic block diagram illustrating an 
example of the recording apparatus to be used by 
content providers to produce copy protected disks; 
Figure 4 is a flow diagram illustrating the operation 
of the recording apparatus of Figure 3; 35 
Figure 5 is a schematic block diagram of a DVD 
player according to the invention; 
Figure 6 is a llow diagram illustrating the operation 
of the player of Figure 5; 

Figure 7 is a flow diagram illustrating the detailed 40 
operation of the recording apparatus of Figure 3 
and player of Figure 5 based on a given example of 
copy control information; 

Figure 8 is a schematic block diagram of recording 

apparatus to be used by content providers accord- 45 

ing to a further example of the invention; 

Figure 9 is a flow diagram illustrating the operation 

of the recording apparatus of Figure 8; 

Figure 10 is a schematic block diagram of a data 

recording device according to the invention to be so 

used in a consumer device; 

Figure 1 1 is a flow diagram illustrating the operation 

of the recording apparatus of Figure 10; 

Figure 1 2 is a flow diagram illustrating the detailed 

operation of the recording apparatus of Figure 8 for 55 

the case where copying of an original disk is not 

permitted; 

Figure 13 is a flow diagram illustrating the detailed 



operation of the player of Figure 5 where the disk 
being played is recorded in accordance with the 
recording operation illustrated in Figure 12; 
Figure 1 4 is a flow diagram illustrating the detailed 
operation of the recording apparatus of Figure 8 for 
the case where one generation of copies from an 
original disk is permitted; 

Figure 1 5 is a flow diagram illustrating the detailed 
operation of the player of Figure 5 where the disk 
being played is recorded in accordance with the 
recording operation illustrated in Figure 14; 
Figure 16 is a flow diagram illustrating the. detailed 
operation of the recording device of Figure 10 for 
the case where the data being recorded was itself 
recorded in accordance with the recording opera- 
tion illustrated in Figure 14; and 
Figure 1 7 is a flow diagram illustrating the detailed 
operation of the player of Figure 5 where the disk 
being played is recorded in accordance with the 
recording operation illustrated in Figure 16. 

[0023] Referring to Figure 1 , a DVD disk 1 according 
to the invention comprises an identification area 2 and a 
data area 3. The identification area is located on a read- 
only part of the disk, so that only the manufacturer of the 
disk can write information to this area during manufac- 
ture of the disk 1. For example, the identification area 2 
can be the burst cutting area of a DVD disk, as further 
described in "DVD Demystified", by Jim Taylor, at pages 
125 - 126. 

[0024] Referring to Figure 2, a blank DVD disk 4 is first 
produced by conventional manufacturing steps by a 
medium generator 5. DVD media manufacturing proc- 
esses are similar to those used to produce CD-R and 
CD-RW disks. A medium identifier generator 6, for 
example a computer running serial number generation 
software, produces a unique identifier, for example, a 
serial number, which is written to the burst cutting area 
2 of the blank DVD disk 4 by a medium identifier printer 
7 so as to produce the blank DVD disk 1 ready for data 
recording. The medium identifier printer 7 is, for exam- 
ple, a laser configured to cut a series of bar-code like 
stripes in the burst cutting area 2 to represent the serial 
number. While, in practice, the identifier may well be 
unique, this is not an essential requirement, the criterion 
being that, to prevent extensive copying, it should be 
sufficiently unlikely that a consumer will be readily able 
to obtain disks having the same identification number. 
[0025] The accessibility of the data area 3 of the DVD 
disk 1 depends on the type of disk involved. In the case 
of a DVD-ROM disk, this area is read-only. A DVD-ROM 
disk can be produced by stamping it from a master copy, 
as described in "DVD Demystified", by Jim Taylor, at 
pages 121 - 123. This is the most cost-effective process 
when producing a very large number of disks. Other 
manufacturing techniques for DVD-ROM disks enable 
the incorporation of unique data onto each individual 
disk. 
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[0026] In the case of a DVD-R (Write-Once) disk, the 
manufacturer produces a Wank disk which includes, for 
example, a unique serial number- in the identification 
area 2. The data area 3 is however available to be writ- 
ten to, once only, by the content provider, using conven- 5 
tional data writing apparatus. Once the content provider 
has written data to the disk, it essentially behaves as a 
DVD-ROM, and cannot be rewritten by the consumer. 
[0027] Alternatively, the disk 1 may be a DVD-RAM 
(Rewritable) disk, typically distributed as a blank disk for 10 
recording and re-recording by consumers. 
[0028] The principles behind the production of a pre- 
recorded disk for distribution to consumers are illus- 
trated below by reference to a DVD-R disk 1 , for exam- 
ple produced by the manufacturing arrangement 15 
illustrated in Figure 2, as a result of which the content 
provider receives blank disks from the disk manufac- 
turer, each having a unique disk identifier, for example, 
a serial number, written in the identification area 2 at the 
manufacturing stage. The content provider can then 20 
record a film, audio data or other digital content, gener- 
ically referred to herein as data, and other relevant infor- 
mation to the disk 1 , as explained by reference to the 
recording apparatus 8 illustrated in Figure 3. 
[0029] One example of the recording apparatus 8 to 25 
be used by the content provider comprises a reading 
device 9 for reading the disk identifier from the read-only 
part 2 of the DVD disk 1, a copy control information 
(CCI) generator 10 and a recording module 11 for 
recording the generated copy control information 30 
together, with.the-data.from.a.data.archive 12 onto the 
diskl. 

[0030] Referring to Figure 4, which describes the 
operation of the recording apparatus 8, at step si. the 
reading device 9 reads the disk identifier from the disk 1 35 
being recorded and passes the identifier to the CCI gen- 
erator 10, which produces verification information for 
the disk identifier in the form of copy control information 
(s2). At step s3, the recording module 1 1 reads the data 
from the data archive 12 and records this onto the disk 40 
1 together with the copy control information from the 
CCI generator 10 (s4). The resulting pre-recorded disk 
1 is referred to herein as the original disk. 
[0031] Referring to Figure 5, a DVD player 13 accord- 
ing to the invention comprises a reading device 14, a 45 
CCI verifier module 15 and a playback device 16. Refer- 
ring to Figure 6, which describes the operation of the 
player 13, at step s5, the reading device 14 reads the 
data, copy control information and the disk identifier 
from the disk 1 being played and sends this information so 
to the CCI verifier module 15. At step s6. the verifier 
module 1 5 attempts to verify the copy control informa- 
tion, namely to determine from the copy control informa- 
tion and the disk identifier whether the disk being played 
is anoriginaldiskran authorised copy or an unauthor- 55 
ised copy. If verification is successful, control passes to 
step s7 and the playback device 16 plays back the data. 
If verification is unsuccessful, control passes to step s8 



and playback is prevented, since failure of the verifica- 
tion process is taken to mean that the disk being read is 
an unauthorised copy. 

[0032] In all of the examples of the invention described 
herein, devices required to read and write data to DVD 
disks, such as the recording module 11, reading 
devices 9, 1 4 and the playback device 1 6, can be imple- 
mented by conventional circuitry as currently used in 
commercially available DVD player/recorders such as 
the Hitachi GF-1000 series. The functionality of the 
blocks required to implement the invention, such as the 
CCI generator 10 and CCI verifier 15 can be imple- 
mented in software on conventional microprocessor 
based circuitry. 

[0033] One example of the copy control information 
which can be recorded onto the disk 1 is simply a copy 
of the original disk identifier read by the reading device 
9 in the recording apparatus 8. Referring to Figure 7, at 
step s9, the reading device 9 reads a disk identifier S d 
from the original disk and at step s10 stores S d as the 
copy control information. At step si 1 the recording mod- 
ule 11 reads data from the data archive 12 and then 
records the data and S d to the data area 3 of the disk 1 
(s12). At steps 13, the reading device 14 in the player 19 
reads Sp, the disk identifier of the disk being played, 
from the burst cutting area 2 of the disk 1 and sends it to 
the CCI verifier 15. It also reads the copy control infor- 
mation, namely S d , from the data area 3 of the disk 1 . At 
step s14, the CCI verifier 15 compares the actual disk 
identifier S p with the copy of the original disk identifier 
S d . Jf the original disk has not been copied, the two. iden- 
tifiers, for example the serial number of each disk, will 
be identical and a signal will be sent to the playback 
device 16 (si 5) indicating that the disk can be played. 
On the other hand, if the original disk has been copied, 
so that all the data on it has been transferred to a new 
disk, then the disk identifier S p in the burst cutting area 
2 of the new disk will be different from the original disk 
identifier S d copied over to the data area 3 of the new 
disk. In this case, a signal is sent to the playback device 
16 (s16) that the disk is an unauthorised copy and 
therefore cannot be played. 

[0034] The use of a copy of the original disk identifier 
as the copy control information provides a form of play- 
back copy control simitar to the use of a Never-Copy flag 
as described above. Therefore, while the making of a 
copy of an original disk is not itself prevented, a DVD 
player according to this example will not play back the 
data on the copy. Furthermore, the making of a second 
generation of copies from the copied disk can itself be 
prevented by a recording device which provides the 
same verification check as the player 13, as illustrated 
at steps s14 to s16. This works because the recording 
device recognises a first generation copy as one in 
which Sp * S d and so can prevent further recording. 
[0035] To prevent a consumer from bypassing the pro- 
tection provided by the copy control method described 
above, it is envisaged that the copy control information 
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should itself be protected against access and alteration. 
[0036] An example of a suitable form of protection is 
the use of a digital signature, which can be based on a 
public key. cryptographic system. Methods of forming 
digital signatures are well known and digital signature 
software is commercially available, for example from 
RSA Data. Security Inc. California. USA, which uses the 
well-known RSA public- key-algorithm. The principles of 
public key systems and their use in digital signatures 
are set out below. For a more detailed description, refer- 
ence is directed to Bruce Schneier. "Applied Cryptogra- 
phy", John Wiley & Sons. Inc. 1996, ISBN 0-471-1 1 709- 
9. 

[0037] Public key encryption is based on the use of an 
asymmetric pair of mutually inverse mathematical oper- 
ations known as a key pair 

[0038] For example.- assurring that E is a public key 
algorithm, then the notation E K (m) signifies the encryp- 
tion of a message m usmg a key K. 
[0039] H K and K 1 axe key pairs for E. then 
E K (E K ,(m)) = m. So a message encrypted with a key 
K~ 1 , referred to herein as the private key, can be 
decrypted by applying the key K. referred to herein as 
the public key. Public key cryptography is based on the 
fact that it is currently nor computationally feasible to 
calculate one part of the key pair from the other part rf 
the bit length of the key ts large enough, for example 
512 bits or larger. 

[0040] A digital signature can be based on a public key 
algorithm and a one way hash function. A hash function 
is any function which takes a variable- length input string 
and-converts it to a f ixed-*ength and generally smaller 
output string known as the hash value. A one way hash 
function is a function for which, given a message m, it is 
easy to calculate a hash value c • H(m) , but for which it 
is difficult to calculate m. starting from a given hash 
value c. It is generally computationally unfeasible to cal- 
culate m from c if the output txt length of H is large 
enough, for example 128 t>ts or larger. Reference is fur- 
ther directed to Bruce Schneie/. "Applied Cryptogra- 
phy", pages-29-to -3i-and-38 to 39. and to D.W. Davies 
and W.L Price. "The Application of Digital Signatures 
Based on Public-Key Cryptosysterns". Proceedings of 
the Fifth International Computer Communications Con- 
ference, October 1980. pp 525 • 530 and National 
Physical Laboratory Report DNACS 39/80. December 
1980. 

[0041] The way in which a digital signature can be 
used is illustrated below. 

[0042] For example, X wishes to send a message to 
Y We assume that the content of the message is not 
secret, but that Y wishes to be sure that the message 
originated from X and that it is una her ed by any third 
party. Therefore. X generates key pairs K and K* 1 for 
public key algorithm E. X keeps the private key K" 1 
secret and opens key K to the public. Then X generates 
the message m and signs it digitally, by: 



w 



15 



20 



1 . calculating c = H(m) , where H is a known hash 
function 

2. encrypting c by E using private key K" 1 ie. 
digital signature = E K -i(c) 

[0043] The digital signature is referred to herein as 
Si&c-iM, 



so that the above equation can be written as 
Sig i(m)=E ,(c) 

[0044] When Y receives the message m, he can verify 
the digital signature using X's public key K, by: 

1 . calculating c' = H(m) 

2. decrypting 



Ek->(c) 



using key K to obtain c, ie. c = E K (E K i(c)) 
3. comparing c and c' * 

25 [0045] H c = c' , the verification succeeds, otherwise it 
fails. 

[0046] The verification will fait if the message m has 
been changed in any way, since in that case the hash of 
the message c' will change. Alternatively, the verification 
30 will fait if the digital signature has been falsified. Since X 
is the only person who has access to the private key K" 
\ X is the only person capable of generating the correct 
digital signature which can be verified by the public key 
K. 

35 [0047] Referring again to Figure 3, to apply the above 
described form of protection in the simple case outlined 
above of using a copy of the original disk identifier to 
verify the authenticity of a disk being played, the CCI 
generator 10 in the recording apparatus 8 includes an 

40 input from a key pair generator which generates a key 
pair K, K" 1 . Key pair generator software, including gen- 
erators for specific algorithms such as the DSA and 
RSA algorithms, is widely available commercially, and 
can, for example, be implemented in the Java™ pro- 

45 gramming language. The Java™ API, for example, 
includes a key pair generator class known as java. secu- 
rity. KeyPairGenerator. A disk identifier S d , where S d 
represents the disk identifier of the original disk, is read 
from the disk 1 by the reading device 9 and a digital sig- 

so nature 



55 is formed using the private key K* 1 and a suitable one- 
way hash function H(x) which is fixed at both the record- 
ing apparatus and the player. 

[0048] An example of a suitable hash function is the 
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Secure Hash Algorithm (SHA) described at pages 442 - 
445, "Applied Cryptography", referred to above. This 
algorithm accepts a variable length input bit stream and 
outputs a 160 bit hash. Typically, knowledge of the hash 
function decided on will be limited to the recording 5 
apparatus/player equipment vendors on the basis of a 
non-disclosure agreement. The digital signature 



SigK-i(Sd) 



10 



is recorded onto the disk 1 by the recording module 1 1 
together with the public key K. 

[0049] Referring again to Figure 5, at the player 1 3, 
the reading device 1 4 reads the public key K and is 

Sig K -i(Sd) 



from the data area 3 and the disk identifier S p from the 20 
identifier area 2 of the disk 1 being played. The CCI ver- 
ifier 15 calculates the hash value H(S p ) and uses K to 
decrypt 



Si gK-'(Sd) 



25 



so as to obtain the hash value H(S d ). It then compares 
these two hash values. If S d and S p are identical, 
because the disk being played is the original disk, then 30 
the hash values are also identical, then verification is 
successful and a signal is sent to the playback device 
16 permitting playback. If S d and S p are not identical, 
because the disk being played is a copy of the original 
disk, then their hash values will be different, so that the 35 
verification process fails, which triggers a signal to the 
playback device 16 to prevent playback. 
Since the content provider is the only one to have 
access to the private key K'\ it is the only one that can 
correctly encrypt the serial number or other identifier of 40 
the original disk. 

[0050] To permit more complex control over copying, 
further information can be included as part of the copy 
control information, for example, a copy control field 
which is capable of implementing copy generation man- 45 
agement. 

[0051 ] Figures 8 and 9 explain the general structure of 
another example of a recording apparatus 20 for use by 
a content provider and the steps involved in the produc- 
tion of a pre-recorded copy protected disk. so 
[0052] At step s1 7. a key pairs generator module 21 
generates key pairs of the public algorithm for signature 
verification. At step s18, a reading device 22 reads the 
identifier of the DVD disk 1 , for example a serial number, 
from the read-only part 2 of the disk 1. At step s19. a 55 
copy control information (CCI) generator 23 produces 
copy control information including a digital signature on 
the basis of the keys, identifier and a copy control field 



from a copy control field (CCF) database 24. The copy 
control field can take one of at least four values, includ- 
ing Copy-Freely, Never-Copy. Copy-Once and No-More- 
Copy. The actual information which goes to make up the 
copy control information will be explained in more detail 
below. At step s20, a recording module 25 reads the 
data to be written to the DVD disk 1 from a data archive 
26 and at step s21 , writes the data and the copy control 
information from the CCI generator 23 to the DVD disk 1 
to produce the finished copy protected pre-recorded 
DVD disk 

[0053] The general structure and functionality of a 
DVD player has already been described by reference to 
Figures 5 and 6. 

[0054] Figure 1 0 illustrates the structure of a recording 
device 30 in accordance with the invention for use by 
consumers to record data onto recordable disks. Refer- 
ring to Figures 10 and 1 1, at step s22, the input signal 
processor module 31 receives copy control information 
and data to be recorded from a disk player 13 as 
described above, and sends them to a CCI verifier mod- 
ule 32 and a CCI generator 33. At step s23. the CCI ver- 
ifier 32 attempts to verify the copy control information. 
The CCI verifier 32 performs the same verification func- 
tion as the CCI verifier 15 in the player 13,-andif the 
player and recording device are implemented as a sin- 
gle unit, the verifier 32 is implemented by the same cir- 
cuitry or by the same software function. If, however, the 
recording device 30 is a separate unit from the player 
13, the CCI verifier 32 is implemented as a double 
checking facility and to provide a verification function for 
a player which may not include copy protection facilities. 
[0055] If verification fails at this stage (s23), control 
passes to step s29, and recording of the data onto a 
new disk is prevented. If verification succeeds, then 
control passes to step s24, at which the CCI verifier 32 
determines rf the copy control field indicates that the 
data can be freely copied, for example, because of the 
presence of a Copy-Freely flag. If the data can be freely 
copied, control passes to step s28, at which the record- 
ing module 34 records the copy control information and 
the data to a new disk 35. If, at step s24, the copy-con- 
trol information indicates that data cannot be freely cop- 
ied, control passes to step s25, at which the CCI verifier 
32 determines if the copy control field indicates that the 
data can be copied only once, for example, because of 
the presence of a Copy-Once flag. If the flag is not a 
Copy-Once flag, the conclusion is that a Never-Copy or 
No-More-Copy flag is set, and control also passes to 
step s29 where recording is prevented. H, on the other 
hand, at step s25. the copy control information indicates 
that the Copy-Once flag is set, control passes to step 
s26, at which the reading device 36 reads the medium 
identifier of the new disk 35 from the read-only part of 
that disk and sends this identifier to the CCI generator 
33. At step s27, the CCI generator changes the copy 
control field from Copy-Once to Copy-No-More and 
generates new copy control information to be recorded 
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onto the disk 35 by the recording module 34. The nature 
of the new copy control information is explained in detail 
below. 

[0056] The precise nature of the copy control informa- 
tion which is written to an original disk depends on the 
level of protection which a content provider wishes to 
achieve. For example, the provider may decide that the 
content of,-for-example, its.Dv*D-audio disk can never be 
copied. On the other hand, the provider may wish to 
provide its customers with the ability to make a back-up 
copy of the original, but not to produce further copies. 
The way in which these goals can be achieved is 
explained below using the following notation: 
[0057] ID is information identifying the content pro- 
vider. This can include the provider's name, the name of 
the content, its date of production and so on. CCF rep- 
resents the copy control field, which can take the values 
Copy-Freely, Never -Copy. Copy-Once and No-More- 
Copy, as explained above. A and A' are used as conven- 
ient notation to group the provider dependent informa- 
tion ID and CCF together, for example, by 
concatenation. such that A = ID : CCF and 
A' = ID : CCF' , where CCF' represents a change in the 
value of the copy control field when recording onto a 
new disk. Sd.S c and Sp aredisk identifiers printed on the 
read-only part of the disk. They cannot therefore be 
changed by the consumer. S d represents the disk iden- 
tifier of the original disk, S c represents the disk identifier 
of the disk to which the original disk can be legitimately 
copied and Sp represents the disk identifier of the disk 
being played. It will be understood that Sp can take the 
values of S d and S c where, respectively, the original disk 
and a legitimate copy of the original disk are being 
played. K A and 



K 



A' 



are key pairs for the digital signature of the content pro- 
vider. K M and 



are key pairs for the digital signature required to imple- 
ment the CGMS scheme, for example to ensure that a 
copy is only made from the original and not from a copy 
of the original. 

[0058] Referring to Figures 8 and 12. in the case 
where a content provider wishes to prohibit all copying 
from the original disk, including the making of a backup 
copy, at step s30, the CCF flag is set to Never-Copy. At 
step s31, the key pairs generator module 21 generates 
key pairs K A and 



K 



A" 1 * 



as described above for the first example. The reading 
device 22 then reads Su from the read-only part of the 
disk 1 (s32) and the CCI generator 23 calculates the 
digital signature 

SigK A i (S d , A) 



at step s33. The copy control information in this case 
io comprises 



is 



20 



25 



30 



SO 



55 



Sig* A -i (S d , A), 



A and K A The recording module 25 then reads data 
from the data archive 25 (s34) and at step s35 writes the 
data to the disk 1 together with the copy control informa- 
tion from the CCI generator 23. 

[0059] Referring to Figures 5 and 1 3, when a DVD 
disk 1 encoded with the above data is inserted into a 
DVD player 13, at step s40 the reading device 14 reads 
Sp from the read-only part 2 of the disk 1 . It also reads 
the copy control information, namely A, K A and t 



SigK A -i (S d , A), 



from the data area 3. The CCI verifier 15 then verifies 
the digital signature 



using S d , A and l A at step s41. If the verification suc- 
35 ceeds, control pa: 'ses to step s42 and the data is played 
back. Otherwise, control passes to step s43, where 
playback of data is prevented. To further explain the 
operation of this example, the verification process is 
explained in detail below. 
ao [0060] Knowing Sp read from the identification area 2 
of the disk and A read from the data area 3 of the disk 1 , 
it is possible to calculate a function c* using a one-way 
hash function H, such that c* - H(m) , where 
m = (S p , A) . Therefore, C - H(S p , A) . 
45 [0061] The function H is the same function as was 
used at the recording apparatus 20 to produce a func- 
tion c = H( S d , A) . This function is obtained by decrypt- 
ing 



SigK A -i (S d , A) 



using the public key K A read from the data area 3 of the 
diskl. 

[0062] rf c = C , ie. H(S d , A) = H(S p . A) , this verifies 
that both A and Sp are unchanged from the time of 
recording, and in particular that S p = S d . namely that 
the serial number on the disk being played is identical to 
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the serial number of the disk on which the data was 
recorded. On the assumption that the serial numbers 
are unique, this means that the disk being played is the 
original disk and so playback of the data it contains is 
permitted, ff the verification fails, the disk beirig played 
is, assumed to be a copy and playback is therefore pre- 
vented. 

[0063] Referring to Figures 8 and 14, in the case 
where a corrtent.provtder wishes to provide the facility 
for the making of a backup copy from the original disk 
only, step s50 is to set the Copy Control Field to Copy- 
Once. At step s51. the key pairs generator module 21 
generates key parrs K A and K A 1 , as well as K M and K M ' 
1 . The reading device 22 then reads S d from the read- 
only part of the disk 1 (s52) and the CCI generator 23 
calculates the digital signature 

Sig* A i (S d , A, 

at step s53. The recording module 25 then reads data 
from the data archive 26 (s$4) and at step s55 writes the 
data to the disk 1 together with the copy control informa- 
tion from the CCI generator 23. which comprises A K A 
Km. K m " 1 and 



10 



15 



20 



25 



The purpose of including K M in the verification proce- 
dure is to ensure that K M has not been falsified, since 
bom parts of the key pair K M 

and are included, and therefore available to a potential 
infringer, on the original disk. If the verification proce- 
dure succeeds, then at step s73, the reading device 36 
reads S c from the read-only part of the destination disk 
35. The CCI generator 33 changes the copy control field 
of A from Copy-Once to No-More-Copy and stores it as 
A' (s74). It then calculates the digital signature 

SigK M -i(S c , A') 

(s75) and at step s76 writes S d . A, K M , K A , 



SigK A -t(S d> A, Km), 



A and 



SigK A -, (S,,. A, K„). 



SigK, 



[0064] Referring to Figures 5 and 15. when a DVD 
disk 1, encoded with the above data, is inserted into a 
DVD player 1 3, at step s60. the r eadng device 1 4 reads 
S p from the read-only part 2 of the disk 1. It also reads 
the copy control information, namely A, K A , K M , Km' 1 
and 

from the data area 3 of the disk 1 The CCI verifier mod- 
ule 15 then verifies the digital signature 



30 [0066] Referring to Figures 5 and 1 7, to play back data 
from a disk which is marked with a No-More-Copy flagr 
at step s80 the reading device 14 reads Sp, from the 
read-only part 2 of the disk 35. It also reads the copy 
control information, namely S d . A, K M , K A , 

35 

SigK A -i(S d , A, KJ, 

A' and 

40 

SigK M -i(S c , A') 



SigK A -i (S d , A, KJ 

using S d , A, K M and K A (step S61 ) as explained in detail 
above. If the verification succeeds, control passes to 
step s62 and the data is played back. Otherwise, control 
passes to step s63, where playback of data is pre- 
vented. 

[0065] Since it is permitted to make a backup copy of 
the original disk, the detailed operation of the recording 
device 30 shown in Figure 10. is set out in the flowchart 
of Figure 16. Referring also to Figures 10 and 15, steps 
s70 and s71 are identical to steps s60 and s61 as car- 
ried out by the playback device. If the vesication proce- 
dure fails, ail further processing is stopped at step s72. 



from the data area 3 of the disk (s81). The CCI verifier 
45 1 5 then verifies the digital signature 

SigK A -i(S d , A, Km) 

so using S d , A, ^ (s82). This step verifies that the key K M 
used in the second part of the verification process has 
not itself been falsified. If verification fails, playback is 
stopped (step s85). If verification succeeds, then at step 
s83, the CCI verifier module 15 verifies the second dig- 
ital signature 
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SigKM-»(S c > A ') 

using Sp. A* and K M . If S p = S c , then this step verifies 5 
that the copied disk has not itself been copied, so pre- 9. 
ventng playback of second generation copies. If verifi- 
cation succeeds the playback device 1 7 plays back the 
data (sS4). otherwise play back is prevented (s85). 
[0067] h will be appreciated that the method according w 
to the invention can be used in any general digital 
recording system where a unique or nearly unique iden- 
tify can be associated with a storage medium. This 
includes, tor example, smart card RAM memories with 
some ROM memo» y lor immutable storage of the identi- 15 
f«* 

(0068] R wrfi tether be appreciated that although a 
scfteme based on trie public key algorithm has been 
desotoed m deta>i. other means of implementing a dig- 
ital signature are not excluded. 20 

Claims 



Apparatus according to claim 7, wherein the verifi- 
cation information is digitally signed, and the 
authentication means comprises means for verify- 
ing a digital signature. 

Apparatus according to any preceding claim, fur- 
ther comprising means for controlling the recording 
of data from the medium. 



1 0. Apparatus according to daim 9, wherein the record- 
ing control means is responsive to copy control data 
stored on the medium. 

11. Apparatus according to claim 10, wherein the copy 
control data specifies that the medium can be cop- 
ied freely, copied once or cannot be copied. 

12. Apparatus according to claim 10 or 11, wherein the 
copy control data is digitally signed. 

13. Apparatus according to any preceding claim com- 
prising a DVD player. 



1 . Apparatus icy processing data stored on a storage 
medrum which has a medium identifier, the appara- 
tus including means for controlling the processing 
of the stored data m dependence on the relation- 
sh*5 between the medium identifier and verification 
information tor the medium identifier stored on the 
medium 

2. Apparatus accordng to claim 1, wherein the 
medium identifier is stored on a read-only part of 
the medium 

3. Apparatus according to claim 1 or 2, wherein the 
medium identifier comprises a first medium identi- 
fier and the verification information includes a sec- 
ond medium identifier. 

4. Apparatus according to claim 3, wherein the con- 
trolling means is responsive to a comparison 
between the first medium identifier and the second 
medium identifier. 

5. Apparatus according to daim 4. wherein the con- 
trolling means prevents playback of the data if the 
first and second medium identifiers are different. 

6. Apparatus according to claim 4 or 5, wherein the 
controlling means prevents recording of the data if 
the first and second medium identifiers are differ- 
ent. 

7. Apparatus according to any preceding daim, fur- 
ther comprising means for authenticating the verifi- 
cation information. 



14. Apparatus according to daim 13. wherein the 
25 medium comprises a DVD disk 

15. A method of processing data stored on a storage 
medium which has a medium identifier and verifica- 
tion information for the identifier stored on the 

30 medium, comprising controlling the processing of 
the stored data in dependence on the relationship 
between the medium identifier and the verification 
information. 

35 1 6. Recording apparatus for recording data onto a data 
storage medium having a medium identifier, com- 
prising means for producing verification information 
for the medium identifier, said verification informa- 
tion to be stored on the medium. 

40 

17. Apparatus according to claim 16, including means 
for digitally signing the verification information. 

18. Apparatus according to claim 16 or 17, wherein the 
45 verification information comprises the medium 

identifier. 

19. Apparatus according to any one of claims 16 to 18 
including means for controlling recording onto the 

so medium in response to copy control data stored on 
a medium from which the data is being recorded. 

20. A method of recording data onto a data storage 
medium having a medium identifier, comprising 

55 producing verification information for the medium 
identifier to be stored on the medium. 

21 . A method according to claim 20, comprising read- 
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ing-the-medium -identifier from a read only part of 
the medium. 

22. A method according to claim 20 or 21, comprising 
protecting the verification information using a digital s 
signature. 



18 



23. A data storage medium comprising a medium iden- 
tifier and verification-information for the identifier 
stored on the.medium. 
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